Abstract


We present a formal system for proving the partial correctness of 
a single-pass instruction sequence as considered in program algebra 
by decomposition into proofs of the partial correctness of segments of 
the single-pass instruction sequence concerned. The system is similar 
to Hoare logics, but takes into account that, by the presence of jump 
instructions, segments of single-pass instruction sequences may have 
multiple entry points and multiple exit points. It is intended to support 
a sound general understanding of the issues with Hoare-like logics for 
low-level programming languages. 


Keywords: Hoare logic, asserted single-pass instruction sequence, 
soundness, completeness in the sense of Cook. 


1 Introduction 


In [15], Hoare introduced a kind of formal system for proving the partial cor- 
rectness of a program by decomposition into proofs of the partial correctness 
of segments of the program concerned. Formal systems of this kind are now 
known as Hoare logics. The programs considered in [15] are programs in a 
simple high-level programming language without goto statements. Hoare 
logics for this simple high-level programming language and extensions of it 
without goto statements have been extensively studied since (see e.g. [8, 9, 11] 
for individual studies and [1] for a survey). Hoare logics and Hoare-like
logics for simple high-level programming languages with goto statements
have been studied since as well (see e.g. [12, 10, 25]).

* Informatics Institute, Faculty of Science, University of Amsterdam, Science Park 904,
1098 XH Amsterdam, the Netherlands, E-mail: {J.A.Bergstra,C.A.Middelburg}@uva.nl.

126 J.A. Bergstra, C.A. Middelburg


Work on Hoare-like logics for low-level programming languages started 
only recently. All the work that we know of takes ad hoc restrictions and 
features of machine- or assembly-level programs into account (see e.g. [19]) or 
abstracts in an ad hoc way from instruction sequences as found in low-level 
programs (see e.g. [21]). We consider it important for a sound understanding 
of the issues in this area to give consideration to generality and faithfulness 
of abstraction instead. This is what motivated us to do the work presented 
in this paper. 

We present a Hoare-like logic for single-pass instruction sequences 
as considered in [2]. The instruction sequences in question are finite or 
eventually periodic infinite sequences of instructions of which each instruction 
is executed at most once and can be dropped after it has been executed 
or jumped over. We will come back to the choice for those instruction 
sequences. The presented Hoare-like logic has to take into account that, by 
the presence of jump instructions, segments of instruction sequences may 
have multiple entry points and multiple exit points. Because of this, it is 
closer to the inductive assertion method for program flowcharts introduced 
by Floyd in [14] than most other Hoare and Hoare-like logics. 


The asserted programs of the form $\{P\}\,S\,\{Q\}$ of Hoare logics are replaced
in the presented Hoare-like logic by asserted instruction sequences of
the form $\{b : P\}\,S\,\{e : Q\}$, where $b$ and $e$ are a positive natural number and a
natural number, respectively. $P$ and $Q$ are regular pre- and post-conditions.
That is, they concern the input-output behaviour of the instruction sequence
segment $S$. Loosely speaking, $b$ represents the additional pre-condition that
execution enters the instruction sequence segment $S$ at its $b$th instruction
and, if $e$ is positive, $e$ represents the additional post-condition that either
execution exits the instruction sequence segment $S$ by going to the $e$th
instruction following it or becomes inactive in $S$. In the case that $e$ equals zero,
$e$ represents the additional post-condition that execution either terminates
or becomes inactive in $S$ (instruction sequences with explicit termination
instructions are considered).


The form of the asserted instruction sequences is inspired by [25]. 
However, under the interpretation of [25], e would represent the additional 
post-condition that execution reaches the eth instruction following the first 
instruction of the instruction sequence segment concerned. Because this 
may be an instruction before the first instruction following the segment, 
this interpretation allows of asserted instruction sequences that concern the
internals of the segment. For this reason, we consider this interpretation not 
conducive to compositional proofs. 

In other related work, e.g. in [21], the additional pre- and post-condition 
represented by b and e must be explicitly formulated and conjoined with 
the regular pre- and post-condition, respectively. This alternative reduces 
the conciseness of pre- and post-conditions considerably. Moreover, an effect 
ensuing from this alternative is that assertions can be formulated in which 
aspects of input-output behaviour and flow of execution are combined in 
ways that are unnecessary for proving partial correctness. For these reasons, 
we decided not to opt for this alternative. 

There is a tendency in work on Hoare-like logics to use a separation 
logic instead of classical first-order logic for pre- and post-conditions to deal 
with programs that alter data structures (see e.g. [20]). This tendency is 
also found in work on Hoare-like logics for low-level programming languages 
(see e.g. [17]). Because our intention is to present a Hoare-like logic that 
supports a sound general understanding of the issues with Hoare-like logics 
for low-level programming languages, we believe that we should stick to 
classical first-order logic until it proves to be inadequate. This is the reason 
why classical first-order logic is used for pre- and post-conditions in this 
paper. 

As mentioned before, the presented Hoare-like logic concerns single-pass 
instruction sequences as considered in [2]. It is often said that a program is 
an instruction sequence and, if this characterization has any value, it must be 
the case that it is somehow easier to understand the concept of an instruction 
sequence than to understand the concept of a program. The first objective 
of the work on instruction sequences that started with [2], and of which an 
enumeration is available at [18], is to understand the concept of a program. 
The basis of all this work is an algebraic theory of single-pass instruction 
sequences, called program algebra, and an algebraic theory of mathematical 
objects that represent in a direct way the behaviours produced by instruction 
sequences under execution, called basic thread algebra.² The body of theory
developed through this work is such that its use as a conceptual preparation
for programming is practically feasible.

² In [2], basic thread algebra is introduced under the name basic polarized process
algebra.

The notion of an instruction sequence appears in the work in question as
a mathematical abstraction for which the rationale is based on the objective
mentioned above. In this capacity, instruction sequences constitute a primary
field of investigation in programming comparable to propositions in logic 
and rational numbers in arithmetic. The structure of the mathematical 
abstraction at issue has been determined in advance with the hope of 
applying it in diverse circumstances where in each case the fit may be 
less than perfect. Until now, this work has, among other things, yielded 
an approach to computational complexity where program size is used as 
complexity measure, a contribution to the conceptual analysis of the notion 
of an algorithm, and new insights into such diverse issues as the halting 
problem, garbage collection, program parallelization for the purpose of 
explicit multi-threading and virus detection. 

Judging by our experience gained in the work referred to above, we 
think that generality and faithfulness of abstraction are well taken into 
consideration in a Hoare-like logic for single-pass instruction sequences as 
considered in [2]. This explains the choice for those instruction sequences. 
As in the work referred to above, the work presented in this paper is carried 
out in the setting of program algebra and basic thread algebra. 

This paper is organized as follows. First, we give a survey of program 
algebra and basic thread algebra (Section 2) and a survey of the extension of 
basic thread algebra that is used in this paper (Section 3). Next, we present 
a Hoare-like logic of asserted single-pass instruction sequences (Section 4), 
give an example of its use (Section 5), and show that it is sound and complete 
in the sense of Cook (Section 6). Finally, we make some concluding remarks 
(Section 7). 

Some familiarity with algebraic specification is assumed in this paper. 
The relevant notions are explained in handbook chapters and books on 
algebraic specification, e.g. [13, 22, 23, 26]. 

The preliminaries to the work presented in this paper (Sections 2 
and 3) are almost the same as the preliminaries to the work presented in [7] 
and earlier papers. For this reason, there is some text overlap with those 
papers. Apart from the preliminaries, the material in this paper is new. A 
comprehensive introduction to what is surveyed in the preliminary sections 
can among other things be found in [5]. 


2 Program Algebra and Basic Thread Algebra 


In this section, we give a survey of PGA (ProGram Algebra) and BTA (Basic 
Thread Algebra) and make precise in the setting of BTA which behaviours are 
produced by the instruction sequences considered in PGA under execution.
The greater part of this section originates from [6]. 


In PGA, it is assumed that there is a fixed but arbitrary set $\mathfrak{A}$ of basic
instructions. The intuition is that the execution of a basic instruction may
modify a state and produces a reply at its completion. The possible replies
are f and t. The actual reply is generally state-dependent. The set $\mathfrak{A}$ is the
basis for the set of instructions that may occur in the instruction sequences
considered in PGA. The elements of the latter set are called primitive
instructions. There are five kinds of primitive instructions:


• for each $a \in \mathfrak{A}$, a plain basic instruction $a$;
• for each $a \in \mathfrak{A}$, a positive test instruction $+a$;
• for each $a \in \mathfrak{A}$, a negative test instruction $-a$;
• for each $l \in \mathbb{N}$, a forward jump instruction $\#l$;
• a termination instruction $!$.


We write $\mathfrak{I}$ for the set of all primitive instructions.


On execution of an instruction sequence, these primitive instructions have
the following effects:


• the effect of a positive test instruction $+a$ is that basic instruction $a$ is
  executed and execution proceeds with the next primitive instruction if
  t is produced and otherwise the next primitive instruction is skipped
  and execution proceeds with the primitive instruction following the
  skipped one — if there is no primitive instruction to proceed with,
  execution becomes inactive;

• the effect of a negative test instruction $-a$ is the same as the effect of
  $+a$, but with the role of the value produced reversed;

• the effect of a plain basic instruction $a$ is the same as the effect of $+a$,
  but execution always proceeds as if t is produced;

• the effect of a forward jump instruction $\#l$ is that execution proceeds
  with the $l$th next primitive instruction — if $l$ equals 0 or there is no
  primitive instruction to proceed with, execution becomes inactive;

• the effect of the termination instruction $!$ is that execution terminates.
Execution becomes inactive if no more basic instructions are executed, but
execution does not terminate. 

PGA has one sort: the sort IS of instruction sequences. We make this 
sort explicit to anticipate the need for many-sortedness later on. To build 
terms of sort IS, PGA has the following constants and operators: 


• for each $u \in \mathfrak{I}$, the instruction constant $u : \to \mathbf{IS}$;
• the binary concatenation operator $\_\,;\,\_ : \mathbf{IS} \times \mathbf{IS} \to \mathbf{IS}$;
• the unary repetition operator $\_^{\omega} : \mathbf{IS} \to \mathbf{IS}$.


Terms of sort IS are built as usual in the one-sorted case.³ We assume that
there are infinitely many variables of sort IS, including $X, Y, Z$. We use
infix notation for concatenation and postfix notation for repetition. Hence,
taking these notational conventions into account, the syntax of closed terms
of sort IS can be defined in Backus-Naur style as follows:

$$\mathit{CT} ::= a \mid +a \mid -a \mid \#l \mid\ !\ \mid \mathit{CT} ; \mathit{CT} \mid \mathit{CT}^{\omega},$$

where $a \in \mathfrak{A}$ and $l \in \mathbb{N}$.

A closed PGA term is considered to denote a non-empty, finite or eventually
periodic infinite sequence of primitive instructions.⁴ The instruction
sequence denoted by a closed term of the form $t ; t'$ is the instruction sequence
denoted by $t$ concatenated with the instruction sequence denoted by
$t'$. The instruction sequence denoted by a closed term of the form $t^{\omega}$ is the
instruction sequence denoted by $t$ concatenated infinitely many times with
itself. A simple example of a closed PGA term is

$$(+a ; \#2 ; \#3 ; b ; !)^{\omega}.$$


On execution of the instruction sequence denoted by this term, first the 
basic instruction a is executed repeatedly until its execution produces the 
reply t, next the basic instruction b is executed, and after that execution 
terminates. 

Closed PGA terms are considered equal if they represent the same
instruction sequence. The axioms for instruction sequence equivalence are
given in Table 1. In this table, $n$ stands for an arbitrary positive natural
number. For each natural number $n$, the term $t^{n}$, where $t$ is a PGA term, is
defined by induction on $n$ as follows: $t^{0} = \#0$, $t^{1} = t$, and $t^{n+2} = t ; t^{n+1}$.

Table 1: Axioms of PGA
$(X ; Y) ; Z = X ; (Y ; Z)$            PGA1
$(X^{n})^{\omega} = X^{\omega}$        PGA2
$X^{\omega} ; Y = X^{\omega}$          PGA3
$(X ; Y)^{\omega} = X ; (Y ; X)^{\omega}$   PGA4

³ Notice that all PGA terms are of sort IS.
⁴ An eventually periodic infinite sequence is an infinite sequence with only finitely many
distinct suffixes.
Some simple examples of equations derivable from the axioms of PGA are 


$$(a ; b)^{\omega} ; ! = a ; (b ; a)^{\omega},$$
$$+a ; (b ; (-c ; \#2 ; !)^{\omega})^{\omega} = +a ; b ; (-c ; \#2 ; !)^{\omega}.$$
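As an added illustration (not part of the original paper), the second of these equations follows from the axioms of Table 1 in three steps, with PGA1 used tacitly for the bracketing of concatenations:

$$\begin{aligned}
+a ; (b ; (-c ; \#2 ; !)^{\omega})^{\omega}
&= +a ; b ; ((-c ; \#2 ; !)^{\omega} ; b)^{\omega} && \text{(PGA4 with } X = b,\ Y = (-c ; \#2 ; !)^{\omega}\text{)} \\
&= +a ; b ; ((-c ; \#2 ; !)^{\omega})^{\omega} && \text{(PGA3)} \\
&= +a ; b ; (-c ; \#2 ; !)^{\omega} && \text{(PGA2 with } n = 1\text{, since } X^{1} = X\text{)}
\end{aligned}$$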


A typical model of PGA is the model in which: 


• the domain is the set of all finite and eventually periodic infinite
  sequences over the set $\mathfrak{I}$ of primitive instructions;

• the operation associated with $;$ is concatenation;

• the operation associated with $^{\omega}$ is the operation $^{\omega}$ defined as follows:

  – if $U$ is a finite sequence over $\mathfrak{I}$, then $U^{\omega}$ is the unique infinite
    sequence $U'$ such that $U$ concatenated $n$ times with itself is a
    proper prefix of $U'$ for each $n \in \mathbb{N}$;

  – if $U$ is an infinite sequence over $\mathfrak{I}$, then $U^{\omega}$ is $U$.


We confine ourselves to this model of PGA, which is an initial model of 
PGA, for the interpretation of PGA terms. In the sequel, we use the term 
PGA instruction sequence for the elements of the domain of this model and 
write len(t), where t is a closed PGA term denoting a finite PGA instruction 
sequence, for the length of the PGA instruction sequence denoted by t. We 
stipulate that $\mathit{len}(t) = \omega$ if $t$ is a closed PGA term denoting an infinite
instruction sequence, where $n < \omega$ for all $n \in \mathbb{N}$.

Below, we will use BTA to make precise which behaviours are produced 
by PGA instruction sequences under execution. 

In BTA, it is assumed that a fixed but arbitrary set A of basic actions 
has been given. The objects considered in BTA are called threads. A 
thread represents a behaviour which consists of performing basic actions in
a sequential fashion. Upon each basic action performed, a reply from an 
execution environment determines how the thread proceeds. The possible 
replies are the values f and t. 

BTA has one sort: the sort T of threads. We make this sort explicit to 
anticipate the need for many-sortedness later on. To build terms of sort T, 
BTA has the following constants and operators: 


• the inaction constant $\mathsf{D} : \to \mathbf{T}$;
• the termination constant $\mathsf{S} : \to \mathbf{T}$;
• for each $a \in \mathcal{A}$, the binary postconditional composition operator
  $\_ \unlhd a \unrhd \_ : \mathbf{T} \times \mathbf{T} \to \mathbf{T}$.


Terms of sort T are built as usual in the one-sorted case. We assume that 
there are infinitely many variables of sort T, including x,y. We use infix 
notation for postconditional composition. We introduce basic action prefixing
as an abbreviation: $a \circ t$, where $t$ is a BTA term, abbreviates $t \unlhd a \unrhd t$. We
identify expressions of the form $a \circ t$ with the BTA term they stand for.

The thread denoted by a closed term of the form $t \unlhd a \unrhd t'$ will first
perform $a$, and then proceed as the thread denoted by $t$ if the reply from
the execution environment is t and proceed as the thread denoted by $t'$ if
the reply from the execution environment is f. The thread denoted by S
will do no more than terminate and the thread denoted by D will become
inactive. A simple example of a closed BTA term is


$$(b \circ \mathsf{S}) \unlhd a \unrhd \mathsf{D}.$$


This term denotes the thread that first performs basic action a, if the reply 
from the execution environment on performing a is t, next performs the 
basic action b and after that terminates, and if the reply from the execution 
environment on performing a is f, next becomes inactive. 

Closed BTA terms are considered equal if they are syntactically the 
same. Therefore, BTA has no axioms. 

Each closed BTA term denotes a finite thread, i.e. a thread with a finite
upper bound to the number of basic actions that it can perform. Infinite
threads, i.e. threads without a finite upper bound to the number of basic
actions that it can perform, can be defined by means of a set of recursion
equations (see e.g. [4]). We are only interested in models of BTA in which
sets of recursion equations have unique solutions, such as the projective limit
model of BTA presented in [5]. We confine ourselves to this model of BTA,
which has an initial model of BTA as a submodel, for the interpretation of
BTA terms. In the sequel, we use the term BTA thread or simply thread for
the elements of the domain of this model.

Table 2: Axioms for the thread extraction operator
$|a| = a \circ \mathsf{D}$                                   $|\#l| = \mathsf{D}$
$|a ; X| = a \circ |X|$                                      $|\#0 ; X| = \mathsf{D}$
$|+a| = a \circ \mathsf{D}$                                  $|\#1 ; X| = |X|$
$|+a ; X| = |X| \unlhd a \unrhd |\#2 ; X|$                   $|\#l{+}2 ; u| = \mathsf{D}$
$|-a| = a \circ \mathsf{D}$                                  $|\#l{+}2 ; u ; X| = |\#l{+}1 ; X|$
$|-a ; X| = |\#2 ; X| \unlhd a \unrhd |X|$                   $|!| = \mathsf{S}$
                                                             $|! ; X| = \mathsf{S}$

Regular threads, i.e. finite or infinite threads that can only be in a 
finite number of states, can be defined by means of a finite set of recursion 
equations. The behaviours produced by PGA instruction sequences under 
execution are exactly the behaviours represented by regular threads, with 
the basic instructions taken for basic actions. The behaviours produced 
by finite PGA instruction sequences under execution are the behaviours 
represented by finite threads. 

We combine PGA with BTA and extend the combination with the
thread extraction operator $|\_| : \mathbf{IS} \to \mathbf{T}$, the axioms given in Table 2, and the
rule that $|X| = \mathsf{D}$ if $X$ has an infinite chain of forward jumps beginning at
its first primitive instruction.⁵ In Table 2, $a$ stands for an arbitrary basic
instruction from $\mathfrak{A}$, $u$ stands for an arbitrary primitive instruction from
$\mathfrak{I}$, and $l$ stands for an arbitrary natural number from $\mathbb{N}$. For each closed
PGA term $t$, $|t|$ denotes the behaviour produced by the instruction sequence
denoted by $t$ under execution.

A simple example of thread extraction is

$$|+a ; \#2 ; \#3 ; b ; !| = (b \circ \mathsf{S}) \unlhd a \unrhd \mathsf{D}.$$

In the case of infinite instruction sequences, thread extraction yields threads
definable by means of a set of recursion equations. For example,

$$|(+a ; \#2 ; \#3 ; b ; !)^{\omega}|$$

is the solution of the set of recursion equations that consists of the single
equation

$$x = (b \circ \mathsf{S}) \unlhd a \unrhd x.$$

⁵ This rule, which can be formalized using an auxiliary structural congruence predicate
(see e.g. [3]), is unnecessary when considering only finite PGA instruction sequences.

3 Interaction of Threads with Services 


Services are objects that represent the behaviours exhibited by components of 
execution environments of instruction sequences at a high level of abstraction. 
A service is able to process certain methods. The processing of a method 
may involve a change of the service. At completion of the processing of a 
method, the service produces a reply value. For example, a service may be 
able to process methods for pushing a natural number on a stack (push:n), 
popping the top element from the stack (pop), and testing whether the top 
element of the stack equals a natural number (topeq:n). Processing of a 
pushing method or a popping method changes the service and produces the 
reply value t if no stack underflow occurs and f otherwise. Processing of a 
testing method does not change the service and produces the reply value t if 
the test succeeds and f otherwise. 

Execution environments are considered to provide a family of uniquely- 
named services. A thread may interact with the named services from the 
service family provided by an execution environment. That is, a thread may 
perform a basic action for the purpose of requesting a named service to 
process a method and to return a reply value at completion of the processing 
of the method. In this section, we extend BTA with services, service families, 
a composition operator for service families, and an operator that is concerned 
with this kind of interaction. This section originates from [4]. 

In SFA, the algebraic theory of service families introduced below, it 
is assumed that a fixed but arbitrary set M of methods has been given. 
Moreover, the following is assumed with respect to services: 


• a signature $\Sigma_{\mathcal{S}}$ has been given that includes the following sorts:

  – the sort S of services;
  – the sort R of replies;

  and the following constants and operators:

  – the empty service constant $\delta : \to \mathbf{S}$;
  – the reply constants $\mathsf{f}, \mathsf{t}, \mathsf{d} : \to \mathbf{R}$;
  – for each $m \in M$, the derived service operator $\frac{\partial}{\partial m} : \mathbf{S} \to \mathbf{S}$;
  – for each $m \in M$, the service reply operator $\varrho_m : \mathbf{S} \to \mathbf{R}$;

• a minimal $\Sigma_{\mathcal{S}}$-algebra $\mathcal{S}$ has been given in which $\mathsf{f}$, $\mathsf{t}$, and $\mathsf{d}$ are
  mutually different, and

  – $\bigwedge_{m \in M} \bigl(\frac{\partial}{\partial m}(z) = z \wedge \varrho_m(z) = \mathsf{d}\bigr) \Rightarrow z = \delta$ holds;
  – for each $m \in M$, $\exists z \,.\, \frac{\partial}{\partial m}(z) = \delta \wedge \varrho_m(z) = \mathsf{d}$ holds.

The intuition concerning $\frac{\partial}{\partial m}$ and $\varrho_m$ is that on a request to service $s$
to process method $m$:

• if $\varrho_m(s) \neq \mathsf{d}$, $s$ processes $m$, produces the reply $\varrho_m(s)$, and then
  proceeds as $\frac{\partial}{\partial m}(s)$;

• if $\varrho_m(s) = \mathsf{d}$, $s$ is not able to process method $m$ and proceeds as $\delta$.

The empty service $\delta$ itself is unable to process any method.

A Hoare-Like Logic of Asserted Single-Pass Instruction Sequences 135

The actual services could, for example, be the natural number stack
services sketched at the beginning of this section. In that case, we take
the set $\{\mathit{NNS}_\sigma \mid \sigma \in \mathbb{N}^{*}\}$ of natural number stack services as the set S of
services and, for each $m \in M$, we take the functions $\frac{\partial}{\partial m}$ and $\varrho_m$ such that
($n, n' \in \mathbb{N}$, $\sigma \in \mathbb{N}^{*}$):⁶

$$\begin{aligned}
\tfrac{\partial}{\partial \mathit{push{:}n}}(\mathit{NNS}_\sigma) &= \mathit{NNS}_{n\sigma}, & \varrho_{\mathit{push{:}n}}(\mathit{NNS}_\sigma) &= \mathsf{t}, \\
\tfrac{\partial}{\partial \mathit{pop}}(\mathit{NNS}_{n\sigma}) &= \mathit{NNS}_\sigma, & \varrho_{\mathit{pop}}(\mathit{NNS}_{n\sigma}) &= \mathsf{t}, \\
\tfrac{\partial}{\partial \mathit{pop}}(\mathit{NNS}_\epsilon) &= \mathit{NNS}_\epsilon, & \varrho_{\mathit{pop}}(\mathit{NNS}_\epsilon) &= \mathsf{f}, \\
\tfrac{\partial}{\partial \mathit{topeq{:}n}}(\mathit{NNS}_{n'\sigma}) &= \mathit{NNS}_{n'\sigma}, & \varrho_{\mathit{topeq{:}n}}(\mathit{NNS}_{n'\sigma}) &= \mathsf{t} \ \text{if } n = n', \\
& & \varrho_{\mathit{topeq{:}n}}(\mathit{NNS}_{n'\sigma}) &= \mathsf{f} \ \text{if } n \neq n', \\
\tfrac{\partial}{\partial \mathit{topeq{:}n}}(\mathit{NNS}_\epsilon) &= \mathit{NNS}_\epsilon, & \varrho_{\mathit{topeq{:}n}}(\mathit{NNS}_\epsilon) &= \mathsf{f}, \\
\tfrac{\partial}{\partial m}(\mathit{NNS}_\sigma) &= \delta \ \text{if } m \notin M_{\mathit{NNS}}, & \varrho_m(\mathit{NNS}_\sigma) &= \mathsf{d} \ \text{if } m \notin M_{\mathit{NNS}},
\end{aligned}$$

where $M_{\mathit{NNS}} = \{\mathit{push{:}n} \mid n \in \mathbb{N}\} \cup \{\mathit{pop}\} \cup \{\mathit{topeq{:}n} \mid n \in \mathbb{N}\}$.

It is also assumed that a fixed but arbitrary set $\mathcal{F}$ of foci has been
given. Foci play the role of names of services in a service family.

⁶ We write $\epsilon$ for the empty sequence and $n\sigma$ for the sequence $\sigma$ with $n$ prepended to it.


Table 3: Axioms of SFA

$u \oplus \emptyset = u$                          SFC1      $\partial_F(\emptyset) = \emptyset$                                      SFE1
$u \oplus v = v \oplus u$                         SFC2      $\partial_F(f.z) = \emptyset$ if $f \in F$                                SFE2
$(u \oplus v) \oplus w = u \oplus (v \oplus w)$   SFC3      $\partial_F(f.z) = f.z$ if $f \notin F$                                  SFE3
$f.z \oplus f.z' = f.\delta$                      SFC4      $\partial_F(u \oplus v) = \partial_F(u) \oplus \partial_F(v)$            SFE4


SFA has the sorts, constants and operators from $\Sigma_{\mathcal{S}}$ and in addition
the sort SF of service families and the following constant and operators:

• the empty service family constant $\emptyset : \to \mathbf{SF}$;
• for each $f \in \mathcal{F}$, the unary singleton service family operator $f.\_ : \mathbf{S} \to \mathbf{SF}$;
• the binary service family composition operator $\_ \oplus \_ : \mathbf{SF} \times \mathbf{SF} \to \mathbf{SF}$;
• for each $F \subseteq \mathcal{F}$, the unary encapsulation operator $\partial_F : \mathbf{SF} \to \mathbf{SF}$.


We assume that there are infinitely many variables of sort S, including $z$,
and infinitely many variables of sort SF, including $u, v, w$. Terms are built
as usual in the many-sorted case (see e.g. [22, 26]). We use prefix notation
for the singleton service family operators and infix notation for the service
family composition operator. We write $\bigoplus_{i=1}^{n} t_i$, where $t_1, \ldots, t_n$ are terms
of sort SF, for the term $t_1 \oplus \cdots \oplus t_n$.

The service family denoted by $\emptyset$ is the empty service family. The service
family denoted by a closed term of the form $f.t$ consists of one named service
only, the service concerned is the service denoted by $t$, and the name of
this service is $f$. The service family denoted by a closed term of the form
$t \oplus t'$ consists of all named services that belong to either the service family
denoted by $t$ or the service family denoted by $t'$. In the case where a named
service from the service family denoted by $t$ and a named service from the
service family denoted by $t'$ have the same name, they collapse to an empty
service with the name concerned. The service family denoted by a closed
term of the form $\partial_F(t)$ consists of all named services with a name not in $F$
that belong to the service family denoted by $t$.

The axioms of SFA are given in Table 3. In this table, $f$ stands for an
arbitrary focus from $\mathcal{F}$ and $F$ stands for an arbitrary subset of $\mathcal{F}$. These
axioms simply formalize the informal explanation given above.
Table 4: Axioms for the apply operator

$\mathsf{S} \bullet u = u$                                                                                                       A1
$\mathsf{D} \bullet u = \emptyset$                                                                                               A2
$(x \unlhd f.m \unrhd y) \bullet \partial_{\{f\}}(u) = \emptyset$                                                                 A3
$(x \unlhd f.m \unrhd y) \bullet (f.t \oplus \partial_{\{f\}}(u)) = x \bullet (f.\frac{\partial}{\partial m}(t) \oplus \partial_{\{f\}}(u))$ if $\varrho_m(t) = \mathsf{t}$   A4
$(x \unlhd f.m \unrhd y) \bullet (f.t \oplus \partial_{\{f\}}(u)) = y \bullet (f.\frac{\partial}{\partial m}(t) \oplus \partial_{\{f\}}(u))$ if $\varrho_m(t) = \mathsf{f}$   A5
$(x \unlhd f.m \unrhd y) \bullet (f.t \oplus \partial_{\{f\}}(u)) = \emptyset$ if $\varrho_m(t) = \mathsf{d}$                     A6


For the set $\mathcal{A}$ of basic actions, we now take the set $\{f.m \mid f \in \mathcal{F},
m \in M\}$. Performing a basic action $f.m$ is taken as making a request to the
service named $f$ to process method $m$.
We combine BTA with SFA and extend the combination with the 
following operator: 


• the binary apply operator $\_ \bullet \_ : \mathbf{T} \times \mathbf{SF} \to \mathbf{SF}$;

and the axioms given in Table 4. In this table, $f$ stands for an arbitrary
focus from $\mathcal{F}$, $m$ stands for an arbitrary method from $M$, and $t$ stands for an
arbitrary term of sort S. The axioms formalize the informal explanation given
below and in addition stipulate what is the result of apply if inappropriate
foci or methods are involved. We use infix notation for the apply operator.

The service family denoted by a closed term of the form $t \bullet t'$ is the
service family that results from processing the method of each basic action 
performed by the thread denoted by t by the service in the service family 
denoted by t’ with the focus of the basic action as its name if such a service 
exists. When the method of a basic action performed by a thread is processed 
by a service, the service changes in accordance with the method concerned 
and the thread reduces to one of the two threads that it can possibly proceed 
with dependent on the reply value produced by the service. 


In the case of the stack services described earlier in this section, the 
following two equations are simple examples of derivable equations: 


$$((\mathit{nns}.\mathit{pop} \circ \mathsf{S}) \unlhd \mathit{nns}.\mathit{topeq{:}0} \unrhd \mathsf{S}) \bullet \mathit{nns}.\mathit{NNS}_{0\sigma} = \mathit{nns}.\mathit{NNS}_{\sigma},$$
$$((\mathit{nns}.\mathit{pop} \circ \mathsf{S}) \unlhd \mathit{nns}.\mathit{topeq{:}0} \unrhd \mathsf{S}) \bullet \mathit{nns}.\mathit{NNS}_{1\sigma} = \mathit{nns}.\mathit{NNS}_{1\sigma}.$$
4 Hoare-Like Logic for PGA⁷


In this section, we introduce a formal system for proving the partial cor- 
rectness of instruction sequences as considered in PGA. Unlike segments of 
programs written in the high-level programming languages for which Hoare 
logics have been developed, segments of single-pass instruction sequences 
may have multiple entry points and multiple exit points. Therefore, the 
asserted programs of the form {P}S{Q} of Hoare logics fall short in the 
case of single-pass instruction sequences. The formulas in the formal system 
introduced here will be called asserted instruction sequences. 

We will look upon foci as (program) variables. This is justified by the
fact that foci are names of objects that may be modified on execution of an
instruction sequence. The objects concerned are services. What is assumed
here with respect to services is the same as in Section 3. This means that
a signature $\Sigma_{\mathcal{S}}$ that includes specific sorts, constants and operators and a
minimal $\Sigma_{\mathcal{S}}$-algebra $\mathcal{S}$ that satisfies specific conditions have been given.

In the formal system introduced here, classical first-order logic with 
equality is used for pre- and post-conditions. The particular choice of log- 
ical constants, connectives and quantifiers does not matter. However, for 
convenience, it is assumed that the following is included: (a) the constants
$\mathsf{T}$ (for truth) and $\mathsf{F}$ (for falsity), (b) the connectives $\neg$ (for negation), $\wedge$ (for
conjunction), $\vee$ (for disjunction), and $\Rightarrow$ (for implication), (c) the quantifiers
$\forall$ (for universal quantification) and $\exists$ (for existential quantification).

We write $\mathcal{L}_{\mathcal{S}}$ for the many-sorted first-order language with equality over
the signature $\Sigma_{\mathcal{S}}$ where free variables of sort S belong to the set $\mathcal{F}$. Moreover,
we write $\mathcal{C}_{\mathbf{IS}}$ for the set of all closed terms of sort IS in the case where the
set $\{f.m \mid f \in \mathcal{F}, m \in M\}$ is taken as the set $\mathfrak{A}$ of basic instructions.

An asserted instruction sequence is a formula of the form $\{b : P\}\,S\,\{e : Q\}$,
where $S \in \mathcal{C}_{\mathbf{IS}}$, $P, Q \in \mathcal{L}_{\mathcal{S}}$, $b \in \mathbb{N}^{+}$, and $e \in \mathbb{N}$.⁸ The intuitive meaning of an
asserted instruction sequence $\{b : P\}\,S\,\{e : Q\}$ is as follows:


• if $b \le \mathit{len}(S)$ and $e > 0$, the intuitive meaning is:

    if execution enters the instruction sequence segment $S$ at its
    $b$th instruction and $P$ holds when execution enters $S$, then
    either execution becomes inactive in $S$ or execution exits
    $S$ by going to the $e$th instruction following $S$ and $Q$ holds
    when execution exits $S$;

• if $b \le \mathit{len}(S)$ and $e = 0$, the intuitive meaning is:

    if execution enters the instruction sequence segment $S$ at
    its $b$th instruction and $P$ holds when execution enters $S$,
    then either execution becomes inactive in $S$ or execution
    terminates in $S$ and $Q$ holds when execution terminates
    in $S$;⁹

• if $b > \mathit{len}(S)$, an intuitive meaning is lacking.

For convenience, we did not exclude the case where $b > \mathit{len}(S)$. Instead, we
made the choice that any asserted instruction sequence $\{b : P\}\,S\,\{e : Q\}$ with
$b > \mathit{len}(S)$ does not hold (irrespective of the choice of $\mathcal{S}$).

⁷ The term "Hoare-like logic", which stands for "logic like Hoare" if taken literally, is
widely used since 1981 with the meaning "logic like Hoare logic" and we conform to this
usage.

⁸ We write $\mathbb{N}^{+}$ for the set $\{n \in \mathbb{N} \mid n > 0\}$.

Before we make precise what it means that an asserted instruction
sequence holds in $\mathcal{S}$, we introduce some special terminology and notation.

In the setting of PGA, what we mean by a state is a function from a
finite subset of $\mathcal{F}$ to the interpretation of sort S in $\mathcal{S}$. Let $F \subseteq \mathcal{F}$ be such
that $F$ is finite. Then a state representing term for $F$ with respect to $\mathcal{S}$ is a
closed term $t$ of sort SF for which, for all $f \in F$, $\partial_{\{f\}}(t) = t$ does not hold
in the free extension of $\mathcal{S}$ to a model of SFA. Notice that $\partial_{\{f\}}(t) = t$ does
not hold iff the interpretation of $t$ is a service family to which a service with
name $f$ belongs. Let $P \in \mathcal{L}_{\mathcal{S}}$, and let $F$ be the set of all foci that belong to
the free variables of $P$. Then a state representing term for $P$ with respect
to $\mathcal{S}$ is a closed term $t$ of sort SF that is a state representing term for $F$
with respect to $\mathcal{S}$. Let $S \in \mathcal{C}_{\mathbf{IS}}$, and let $F$ be the set of all foci that occur in
$S$. Then a state representing term for $S$ with respect to $\mathcal{S}$ is a closed term $t$
of sort SF that is a state representing term for $F$ with respect to $\mathcal{S}$.

We write $P[t]$, where $t$ is a state representing term for $P$ with respect to
$\mathcal{S}$, for $P$ with, for each focus $f$ among the free variables of $P$, all free occurrences of $f$ replaced by a closed
term $t'$ of sort S such that $t = f.t' \oplus \partial_{\{f\}}(t)$ holds in the free extension of $\mathcal{S}$
to a model of SFA. Thus, the interpretation of the term $t'$ replacing the free
occurrences of $f$ is the service associated with $f$ in the state represented
by $t$. Notice that an equation between terms of sort SF holds in the free
extension of $\mathcal{S}$ to a model of SFA iff it is derivable from the axioms of SFA.


9 Recall that execution becomes inactive if no more basic instructions are executed, but execution does not terminate.
We write $|S|_{b,0}$ for $|\#b ; S|$ and $|S|_{b,e}$, where $e > 0$, for $|\#b ; S ; \sigma(e)|$, where, for each $n > 0$, $\sigma(n)$ is defined by induction on $n$ as follows: $\sigma(1) = \,!$ and $\sigma(n + 1) = \#0 ; \sigma(n)$. In the case where $b \le \mathrm{len}(S) < \omega$ and $e > 0$, the thread denoted by $|S|_{b,e}$ represents the behaviour that differs from the behaviour produced by the instruction sequence segment $S$ in isolation if execution enters the segment at its $b$th instruction only by terminating instead of becoming inactive if execution exits the segment by going to the $e$th instruction following it. This adaptation of the behaviour is a technicality by which it is possible to obtain the state at the time that execution exits the segment by means of the apply operation $\bullet$.

An asserted instruction sequence $\{b : P\}\ S\ \{e : Q\}$ holds in $\mathcal{S}$, written $\mathcal{S} \models \{b : P\}\ S\ \{e : Q\}$, if $b \le \mathrm{len}(S)$ and for all closed terms $t$ and $t'$ of sort $\mathbf{SF}$ that are state representing terms for $P$, $Q$, and $S$ with respect to $\mathcal{S}$:

$\mathcal{S} \models P[t]$ implies $\mathcal{M}_{\mathcal{S}} \models |S|_{b,e'} \bullet t = \emptyset$ for all $e' \in \mathbb{N}$ with $e \ne e'$
and
$\mathcal{S} \models P[t]$ and $\mathcal{M}_{\mathcal{S}} \models |S|_{b,e} \bullet t = t'$ imply $\mathcal{S} \models Q[t']$,


where $\mathcal{M}_{\mathcal{S}}$ is the model of the combination of PGA, BTA, and SFA extended with the thread extraction operator, the apply operator, and the axioms for these operators such that the restrictions to the signatures of PGA, BTA, and SFA are the initial model of PGA, the projective limit model of BTA, and the free extension of $\mathcal{S}$ to a model of SFA, respectively. The existence of such a model follows from the fact that the signatures of PGA, BTA, and SFA are disjoint by the amalgamation result about expansions presented as Theorem 6.1.1 in [16] (adapted to the many-sorted case). The occurrences of $\mathcal{S}$ in the above definition can be replaced by $\mathcal{M}_{\mathcal{S}}$.

Notice that for all $S \in \mathcal{C}_{\mathbf{IS}}$, $Q \in \mathcal{L}_{\mathbf{S}}$, $b \in \mathbb{N}^+$ with $b \le \mathrm{len}(S)$, and $e \in \mathbb{N}$, $\mathcal{S} \models \{b : \mathsf{F}\}\ S\ \{e : Q\}$. However, there exist $S \in \mathcal{C}_{\mathbf{IS}}$, $P \in \mathcal{L}_{\mathbf{S}}$, $b \in \mathbb{N}^+$ with $b \le \mathrm{len}(S)$, and $e \in \mathbb{N}$ such that $\mathcal{S} \not\models \{b : P\}\ S\ \{e : \mathsf{T}\}$. This is the case because, if execution enters the instruction sequence segment $S$ at its $b$th instruction and $P$ holds when execution enters $S$, then there may be no unique way in which execution exits $S$ and, if there is a unique way, it may be by going to another than the $e$th instruction following $S$.

We could have dealt with the above-mentioned non-uniqueness by supporting multiple exit points in asserted instruction sequences. In that case, we would have asserted instruction sequences of the form $\{b : P\}\ S\ \{e_1, \ldots, e_n : Q\}$ satisfying $\mathcal{S} \models \{b : P\}\ S\ \{e_1, \ldots, e_n : Q\}$ iff $\mathcal{S} \models \{b : P\}\ S\ \{e_i : Q\}$ for all $i \in \{1, \ldots, n\}$. This means that it is sufficient to add to the axioms and rules of inference of our Hoare-like logic (introduced below) the rules of inference




corresponding to this equivalence. These additional rules are such that nothing gets lost if $\{b : P\}\ S\ \{e_1, \ldots, e_n : Q\}$ is simply considered a shorthand for the set $\{\{b : P\}\ S\ \{e_i : Q\} \mid i \in \{1, \ldots, n\}\}$ of asserted instruction sequences.


The axioms and rules of inference of our Hoare-like logic of asserted single-pass instruction sequences are given in Table 5. In this table, $S, S_1, S_2$ stand for arbitrary closed terms from $\mathcal{C}_{\mathbf{IS}}$, $P, P', P_1, P_2, \ldots, Q, Q', Q_1, Q_2, \ldots$, and $R$ stand for arbitrary formulas from $\mathcal{L}_{\mathbf{S}}$, $b, b_1, b_2, \ldots$ stand for arbitrary positive natural numbers, $e, i$ stand for arbitrary natural numbers, $x, y$ stand for arbitrary variables of some sort in $\Sigma_{\mathbf{S}}$, $f$ stands for an arbitrary focus from $\mathcal{F}$, and $m$ stands for an arbitrary method from $\mathcal{M}$. Moreover, $\mathit{var}(P)$ denotes the set of all foci that belong to the free variables of $P$ and $\mathit{var}(S)$ denotes the set of all foci that occur in $S$. We write $\Psi \vdash' \phi$, where $\Psi$ is a finite set of asserted instruction sequences and $\phi$ is an asserted instruction sequence, for provability of $\phi$ from $\Psi$ without applications of the repetition rule (R5).


The axioms concern the smallest instruction sequence segments, namely single instructions. Axioms A1–A8 are similar to the assignment axiom found in most Hoare logics. They are somewhat more complicated than the assignment axiom because they concern instructions that may cause execution to become inactive and, in the case of axioms A3–A8, instructions that have two exit points. Axioms A9–A11, which concern jump instructions and the termination instruction, are very simple and speak for themselves.


Concatenation needs four rules because instruction sequence segments 
may be prefixed or suffixed by redundant instruction sequence segments in 
several ways. Rule R1 concerns the obvious case, namely the case where 
execution enters the whole by entering the first instruction sequence segment 
and execution exits the whole by exiting the second instruction sequence 
segment. Rule R2 concerns the case where execution exits the whole by exit- 
ing the first instruction sequence segment. Rule R3 concerns the case where 
execution becomes inactive or terminates in the whole by doing so in the first 
instruction sequence segment. Rule R4 concerns the case where execution 
enters the whole by entering the second instruction sequence segment. 


The repetition rule (rule R5) is reminiscent of the recursion rule found in Hoare logics for high-level programming languages that covers calls of (parameterless) recursive procedures (see e.g. [1]). This rule is actually a rule schema: there is an instance of this rule for each $k, n > 0$ with $k \le n$. In many cases, the instance for $k = 1$ and $n = 1$ suffices. The need for the rules R6–R9 is not clear at first sight, but without them the presented formal system would be incomplete. Although these rules do not explicitly deal with repetition, they would not be needed for completeness in the absence of repetition.


Table 5: Hoare-Like Logic of Asserted Single-Pass Instruction Sequences

BASIC INSTRUCTION AXIOMS:
A1: $\{1 : \varrho_m(f) \neq \mathsf{d} \wedge P[\frac{\partial}{\partial m}(f)/f]\}\ f.m\ \{1 : P\}$
A2: $\{1 : \varrho_m(f) = \mathsf{d}\}\ f.m\ \{0 : \mathsf{F}\}$

POSITIVE TEST INSTRUCTION AXIOMS:
A3: $\{1 : \varrho_m(f) = \mathsf{t} \wedge P[\frac{\partial}{\partial m}(f)/f]\}\ {+}f.m\ \{1 : P\}$
A4: $\{1 : \varrho_m(f) = \mathsf{f} \wedge P[\frac{\partial}{\partial m}(f)/f]\}\ {+}f.m\ \{2 : P\}$
A5: $\{1 : \varrho_m(f) = \mathsf{d}\}\ {+}f.m\ \{0 : \mathsf{F}\}$

NEGATIVE TEST INSTRUCTION AXIOMS:
A6: $\{1 : \varrho_m(f) = \mathsf{t} \wedge P[\frac{\partial}{\partial m}(f)/f]\}\ {-}f.m\ \{2 : P\}$
A7: $\{1 : \varrho_m(f) = \mathsf{f} \wedge P[\frac{\partial}{\partial m}(f)/f]\}\ {-}f.m\ \{1 : P\}$
A8: $\{1 : \varrho_m(f) = \mathsf{d}\}\ {-}f.m\ \{0 : \mathsf{F}\}$

FORWARD JUMP INSTRUCTION AXIOMS:
A9: $\{1 : P\}\ \#i{+}1\ \{i{+}1 : P\}$
A10: $\{1 : \mathsf{T}\}\ \#0\ \{0 : \mathsf{F}\}$

TERMINATION INSTRUCTION AXIOM:
A11: $\{1 : P\}\ !\ \{0 : P\}$

CONCATENATION RULES:
R1: $\dfrac{\{b : P\}\ S_1\ \{i : Q\}, \quad \{i : Q\}\ S_2\ \{e : R\}}{\{b : P\}\ S_1 ; S_2\ \{e : R\}}$ if $i > 0$
R2: $\dfrac{\{b : P\}\ S_1\ \{e + \mathrm{len}(S_2) : Q\}}{\{b : P\}\ S_1 ; S_2\ \{e : Q\}}$ if $e > 0$
R3: $\dfrac{\{b : P\}\ S_1\ \{0 : Q\}}{\{b : P\}\ S_1 ; S_2\ \{0 : Q\}}$
R4: $\dfrac{\{b : P\}\ S_2\ \{e : Q\}}{\{b + \mathrm{len}(S_1) : P\}\ S_1 ; S_2\ \{e : Q\}}$

REPETITION RULE (for each $k, n > 0$ with $k \le n$):
R5: $\dfrac{\{b_1 : P_1\}\ S^\omega\ \{0 : Q_1\}, \ldots, \{b_n : P_n\}\ S^\omega\ \{0 : Q_n\} \vdash' \{b_1 : P_1\}\ S ; S^\omega\ \{0 : Q_1\} \quad \cdots \quad \{b_1 : P_1\}\ S^\omega\ \{0 : Q_1\}, \ldots, \{b_n : P_n\}\ S^\omega\ \{0 : Q_n\} \vdash' \{b_n : P_n\}\ S ; S^\omega\ \{0 : Q_n\}}{\{b_k : P_k\}\ S^\omega\ \{0 : Q_k\}}$

ALTERNATIVES RULE:
R6: $\dfrac{\{b : P\}\ S\ \{e : R\}, \quad \{b : Q\}\ S\ \{e : R\}}{\{b : P \vee Q\}\ S\ \{e : R\}}$

INVARIANCE RULE:
R7: $\dfrac{\{b : P\}\ S\ \{e : Q\}}{\{b : P \wedge R\}\ S\ \{e : Q \wedge R\}}$ if $\mathit{var}(R) \cap \mathit{var}(S) = \emptyset$

ELIMINATION RULE:
R8: $\dfrac{\{b : P\}\ S\ \{e : Q\}}{\{b : \exists x \bullet P\}\ S\ \{e : Q\}}$ if $\{x\} \cap (\mathit{var}(S) \cup \mathit{var}(Q)) = \emptyset$

SUBSTITUTION RULE:
R9: $\dfrac{\{b : P\}\ S\ \{e : Q\}}{\{b : P[y/x]\}\ S\ \{e : Q[y/x]\}}$ if $\{x\} \cap \mathit{var}(S) = \emptyset$ and $\{y\} \cap \mathit{var}(S) = \emptyset$

CONSEQUENCE RULE:
R10: $\dfrac{P \Rightarrow P', \quad \{b : P'\}\ S\ \{e : Q'\}, \quad Q' \Rightarrow Q}{\{b : P\}\ S\ \{e : Q\}}$

The consequence rule (rule R10) is found in one form or another in all Hoare logics and Hoare-like logics. This rule allows formulas from $\mathcal{L}_{\mathbf{S}}$ that hold in $\mathcal{S}$ to be used to strengthen pre-conditions and weaken post-conditions.

Because there is no rule of inference to deal with nested repetitions, it seems at first sight that we cannot have a completeness result for the presented Hoare-like logic. However, a closer look at this matter yields something different. The crux is that the following rule of inference is derivable from rules R3 and R5:

$\dfrac{\{b : P\}\ S\ \{0 : Q\}}{\{b : P\}\ S^\omega\ \{0 : Q\}}$


We have the following result: 


Theorem 1 Let $\mathrm{Th}(\mathcal{S})$ be the set of all formulas of $\mathcal{L}_{\mathbf{S}}$ that hold in $\mathcal{S}$. Then, for each $S \in \mathcal{C}_{\mathbf{IS}}$, $P, Q \in \mathcal{L}_{\mathbf{S}}$, and $b \in \mathbb{N}^+$, $\mathcal{S} \models \{b : P\}\ S\ \{0 : Q\}$ only if there exists an $S' \in \mathcal{C}_{\mathbf{IS}}$ in which the repetition operator occurs at most once such that (a) $\mathcal{S} \models \{b : P\}\ S'\ \{0 : Q\}$ and (b) $\mathrm{Th}(\mathcal{S}) \vdash \{b : P\}\ S'\ \{0 : Q\}$ implies $\mathrm{Th}(\mathcal{S}) \vdash \{b : P\}\ S\ \{0 : Q\}$.


Proof: Let $S \in \mathcal{C}_{\mathbf{IS}}$ be such that the repetition operator occurs at least once in $S$. Then the following properties follow directly from the definitions involved ((1) and (2)) and the presented Hoare-like logic ((3) and (4)):

(1) $\mathcal{S} \models \{b : P\}\ S ; T\ \{0 : Q\}$ implies $\mathcal{S} \models \{b : P\}\ S\ \{0 : Q\}$;
(2) $\mathcal{S} \models \{b : P\}\ S^\omega\ \{0 : Q\}$ implies $\mathcal{S} \models \{b : P\}\ S\ \{0 : Q\}$;
(3) $\mathrm{Th}(\mathcal{S}) \vdash \{b : P\}\ S\ \{0 : Q\}$ implies $\mathrm{Th}(\mathcal{S}) \vdash \{b : P\}\ S ; T\ \{0 : Q\}$;
(4) $\mathrm{Th}(\mathcal{S}) \vdash \{b : P\}\ S\ \{0 : Q\}$ implies $\mathrm{Th}(\mathcal{S}) \vdash \{b : P\}\ S^\omega\ \{0 : Q\}$.

Using these properties, the theorem is easily proved by induction on the number of occurrences of the repetition operator in $S$.


As a corollary of Theorem 1 we have that a completeness result for the set of all closed PGA terms of sort $\mathbf{IS}$ in which the repetition operator occurs at most once entails a completeness result for the set of all closed PGA terms of sort $\mathbf{IS}$.


5 Example 


In this section, we give an example of the use of the Hoare-like logic of asserted 
single-pass instruction sequences presented in Section 4. The example has 
only been chosen because it is simple and shows applications of most axioms 
and rules of inference of this Hoare-like logic (including R6 and R8). 

For $\mathcal{S}$, we take an algebra of services that make up unbounded natural number counters. Each natural number counter service is able to process methods to increment the content of the counter by one ($\mathit{incr}$), to decrement the content of the counter by one ($\mathit{decr}$), and to test whether the content of the counter is zero ($\mathit{iszero}$). The derived service and service reply operations for these methods are as to be expected. $\Sigma_{\mathbf{S}}$ includes the sort $\mathbf{N}$ of natural numbers, the constant $0 : \to \mathbf{N}$, and the unary operators $\mathit{succ} : \mathbf{N} \to \mathbf{N}$, $\mathit{pred} : \mathbf{N} \to \mathbf{N}$, and $\mathit{nnc} : \mathbf{N} \to \mathbf{S}$. The interpretations of $\mathbf{N}$, $0$, $\mathit{succ}$, and $\mathit{pred}$ are as to be expected. The interpretation of $\mathit{nnc}$ is the function that maps each natural number $n$ to the service that makes up a counter whose content is $n$.

We claim that the closed PGA term $({-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr})^\omega$ denotes an instruction sequence for setting the counter made up by service $c$ to zero. That is, we claim $\{1 : \mathsf{T}\}\ ({-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr})^\omega\ \{0 : c = \mathit{nnc}(0)\}$. We prove this by means of the axioms and rules of inference given in Table 5.

It is sufficient to prove

(1) $\{1 : c = \mathit{nnc}(0) \vee c = \mathit{nnc}(n+1)\}\ ({-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr})^\omega\ \{0 : c = \mathit{nnc}(0)\}$

because the claim follows from (1) by R8 and R10.

First, we prove $\{1 : c = \mathit{nnc}(0)\}\ {-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr}\ \{0 : c = \mathit{nnc}(0)\}$:

(2) $\{1 : c = \mathit{nnc}(0)\}\ {-}c.\mathit{iszero}\ \{2 : c = \mathit{nnc}(0)\}$
by A6;
(3) $\{1 : c = \mathit{nnc}(0)\}\ {-}c.\mathit{iszero} ; \#2\ \{1 : c = \mathit{nnc}(0)\}$
from (2) by A9 and R2;
(4) $\{1 : c = \mathit{nnc}(0)\}\ {-}c.\mathit{iszero} ; \#2 ; !\ \{0 : c = \mathit{nnc}(0)\}$
from (3) by A11 and R1;
(5) $\{1 : c = \mathit{nnc}(0)\}\ {-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr}\ \{0 : c = \mathit{nnc}(0)\}$
from (4) by A1 and R3.

Next, we prove $\{1 : c = \mathit{nnc}(n+1)\}\ {-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr}\ \{0 : c = \mathit{nnc}(n)\}$:

(6) $\{1 : c = \mathit{nnc}(n+1)\}\ {-}c.\mathit{iszero}\ \{1 : c = \mathit{nnc}(n+1)\}$
by A6;
(7) $\{1 : c = \mathit{nnc}(n+1)\}\ {-}c.\mathit{iszero} ; \#2\ \{2 : c = \mathit{nnc}(n+1)\}$
from (6) by A9 and R1;
(8) $\{1 : c = \mathit{nnc}(n+1)\}\ {-}c.\mathit{iszero} ; \#2 ; !\ \{1 : c = \mathit{nnc}(n+1)\}$
from (7) by A11 and R2;
(9) $\{1 : c = \mathit{nnc}(n+1)\}\ {-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr}\ \{0 : c = \mathit{nnc}(n)\}$
from (8) by A1, R10 and R1.

Assuming (1), we prove

$\{1 : c = \mathit{nnc}(0) \vee c = \mathit{nnc}(n+1)\}\ {-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr} ; ({-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr})^\omega\ \{0 : c = \mathit{nnc}(0)\}$:

(a) $\{1 : c = \mathit{nnc}(0)\}\ {-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr} ; ({-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr})^\omega\ \{0 : c = \mathit{nnc}(0)\}$
from (5) by R3;
(b) $\{1 : c = \mathit{nnc}(n+1)\}\ {-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr} ; ({-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr})^\omega\ \{0 : c = \mathit{nnc}(0)\}$
from (9) by R1;
(c) $\{1 : c = \mathit{nnc}(0) \vee c = \mathit{nnc}(n+1)\}\ {-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr} ; ({-}c.\mathit{iszero} ; \#2 ; ! ; c.\mathit{decr})^\omega\ \{0 : c = \mathit{nnc}(0)\}$
from (a) and (b) by R6.

Because (c) has been derived assuming (1), (1) now follows by R5.

The example given above illustrates that proving instruction sequences 
correct can be quite tedious, even in a simple case. This can be largely 
attributed to the fact that instruction sequences do not need to be structured 
programs and not to the particular Hoare-like logic used. A verification 
condition generator and a proof assistant are anyhow indispensable when 
proving realistic instruction sequences correct. 
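The semantics of Section 4 and the counter example of this section, as an added example that is not code from the paper: a small interpreter for single-pass instruction sequences over the counter service, with a checker that evaluates an asserted instruction sequence over a constructed finite set of states. The textual instruction syntax, the behaviour of decr on an empty counter, and the fuel bound that stands in for the finite approximations $S^i ; \#0^\omega$ are assumptions made here.

```python
"""Added example (not the paper's own code): an interpreter for single-pass
instruction sequences over the counter service of Section 5, and a checker
that evaluates {b:P} S {e:Q} against the intuitive meaning of Section 4."""
from typing import Callable, Dict, List, Set, Tuple

State = Dict[str, int]            # focus name -> counter content (a state, Sec. 4)
Instr = Tuple                     # ("basic"|"plus"|"minus", f, m), ("jump", l), ("halt",)
Outcome = Tuple[str, int, State]  # ("exit", e, s), ("halt", 0, s) or ("inactive", 0, s)
Pred = Callable[[State], bool]    # pre-/post-condition, here a Python predicate

def parse_seq(text: str) -> List[Instr]:
    """Parse 'f.m; +f.m; -f.m; #l; !' (the primitive instructions) into tuples."""
    out: List[Instr] = []
    for tok in (t.strip() for t in text.split(";")):
        if tok == "!":
            out.append(("halt",))
        elif tok.startswith("#"):
            out.append(("jump", int(tok[1:])))
        else:
            kind = {"+": "plus", "-": "minus"}.get(tok[0], "basic")
            focus, method = (tok if kind == "basic" else tok[1:]).split(".")
            out.append((kind, focus, method))
    return out

def counter_step(state: State, focus: str, method: str) -> Tuple[bool, State]:
    """Reply and derived state of a natural-number counter service (Section 5).
    Assumption: decr on an empty counter leaves it at 0 and replies true."""
    n, new = state[focus], dict(state)
    if method == "incr":
        new[focus] = n + 1
        return True, new
    if method == "decr":
        new[focus] = max(n - 1, 0)
        return True, new
    if method == "iszero":
        return n == 0, new
    raise ValueError("unknown method " + method)

def run(seq: List[Instr], omega: bool, b: int, state: State, fuel: int = 10_000) -> Outcome:
    """Execute seq (seq^omega if omega is set) entered at its b-th instruction.
    Leaving a finite segment past its end is an exit via the e-th instruction
    following it.  Running out of fuel is reported as inactive, which is what
    the finite approximation S^i ; #0^omega of the soundness proof produces."""
    n, pc = len(seq), b
    while fuel > 0:
        if not omega and pc > n:
            return ("exit", pc - n, state)
        instr = seq[(pc - 1) % n] if omega else seq[pc - 1]
        fuel -= 1
        if instr[0] == "halt":
            return ("halt", 0, state)
        if instr[0] == "jump":
            if instr[1] == 0:                 # #0: execution becomes inactive
                return ("inactive", 0, state)
            pc += instr[1]
            continue
        reply, state = counter_step(state, instr[1], instr[2])
        if instr[0] == "basic":
            pc += 1
        elif instr[0] == "plus":              # +f.m skips the next instruction on f
            pc += 1 if reply else 2
        else:                                 # -f.m skips the next instruction on t
            pc += 2 if reply else 1
    return ("inactive", 0, state)

def holds(b: int, pre: Pred, seq: List[Instr], omega: bool, e: int, post: Pred,
          states: List[State]) -> bool:
    """{b:P} S {e:Q} over the sample states: from every P-state, execution
    entered at b must become inactive or reach exit point e with Q holding
    (e = 0 is termination inside S).  b > len(S) never holds, by convention."""
    if not omega and b > len(seq):
        return False
    for s in states:
        if not pre(s):
            continue
        how, e2, s2 = run(seq, omega, b, s)
        if how != "inactive" and (e2 != e or not post(s2)):
            return False
    return True

STATES: List[State] = [{"c": n} for n in range(0, 25)]   # constructed sample states
BODY = parse_seq("-c.iszero; #2; !; c.decr")             # the loop body of Section 5

def section5_claim() -> bool:
    """{1:T} (-c.iszero;#2;!;c.decr)^omega {0: c = nnc(0)}, checked on STATES."""
    return holds(1, lambda s: True, BODY, True, 0, lambda s: s["c"] == 0, STATES)

def body_exit_points() -> Set[Tuple[str, int]]:
    """How BODY alone, entered at 1, leaves: two exit points, which is why the
    alternatives rule (R6) is needed to combine steps (a) and (b)."""
    return {run(BODY, False, 1, s)[:2] for s in STATES}

def positive_test_exits() -> Tuple[bool, bool, bool]:
    """+c.iszero has exits 1 and 2: no single e fits all states (first value),
    but fixing the reply in the pre-condition makes each exit unique."""
    t = parse_seq("+c.iszero")
    return (holds(1, lambda s: True, t, False, 1, lambda s: True, STATES),
            holds(1, lambda s: s["c"] == 0, t, False, 1, lambda s: s["c"] == 0, STATES),
            holds(1, lambda s: s["c"] > 0, t, False, 2, lambda s: s["c"] > 0, STATES))
```

The checker only samples states, so a `True` result is evidence about the sampled states, whereas the proof in Table 5 covers all of them.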


6 Soundness and Completeness 


This section is concerned with the soundness and completeness of the Hoare-like logic of asserted single-pass instruction sequences presented in Section 4. It was assumed in Section 4 that a signature $\Sigma_{\mathbf{S}}$ that includes specific sorts, constants and operators and a minimal $\Sigma_{\mathbf{S}}$-algebra $\mathcal{S}$ that satisfies specific conditions had been given. In this section, we intend to establish soundness and completeness for all algebras that could have been given. It is useful to introduce a name for these algebras: service algebras.

In this section, we write $\mathrm{Th}(\mathcal{S})$, where $\mathcal{S}$ is a service algebra, for the set of all formulas of $\mathcal{L}_{\mathbf{S}}$ that hold in $\mathcal{S}$.

The proof of the soundness theorem for the presented Hoare-like logic given below (Theorem 2) will make use of the following two lemmas. Recall that $\vdash'$ stands for provability without applications of the repetition rule.


Lemma 1 Let $\mathcal{S}$ be a service algebra, and let $k, n \in \mathbb{N}^+$ be such that $k \le n$. Then, for each $S, S' \in \mathcal{C}_{\mathbf{IS}}$, $P_1, \ldots, P_n, Q_1, \ldots, Q_n \in \mathcal{L}_{\mathbf{S}}$, and $b_1, \ldots, b_n \in \mathbb{N}^+$, if $\{b_1 : P_1\}\ S^\omega\ \{0 : Q_1\}, \ldots, \{b_n : P_n\}\ S^\omega\ \{0 : Q_n\} \vdash' \{b_k : P_k\}\ S ; S^\omega\ \{0 : Q_k\}$ then $\{b_1 : P_1\}\ S'\ \{0 : Q_1\}, \ldots, \{b_n : P_n\}\ S'\ \{0 : Q_n\} \vdash' \{b_k : P_k\}\ S ; S'\ \{0 : Q_k\}$.


Proof: This is easily proved by induction on the length of proofs, case 
distinction on the axiom applied in the basis step, and case distinction on 
the rule of inference last applied in the inductive step. 


An important corollary of Lemma 1 is that, for all $i \in \mathbb{N}$ and $k \in \mathbb{N}^+$ with $k \le n$, $\{b_1 : P_1\}\ S^\omega\ \{0 : Q_1\}, \ldots, \{b_n : P_n\}\ S^\omega\ \{0 : Q_n\} \vdash' \{b_k : P_k\}\ S ; S^\omega\ \{0 : Q_k\}$ only if $\{b_1 : P_1\}\ S^i ; \#0^\omega\ \{0 : Q_1\}, \ldots, \{b_n : P_n\}\ S^i ; \#0^\omega\ \{0 : Q_n\} \vdash' \{b_k : P_k\}\ S ; S^i ; \#0^\omega\ \{0 : Q_k\}$.


Lemma 2 For each service algebra $\mathcal{S}$, set of asserted instruction sequences $\Psi$, and asserted instruction sequence $\phi$, $\mathrm{Th}(\mathcal{S}) \cup \Psi \vdash' \phi$ only if $\mathcal{S} \models \psi$ for all $\psi \in \Psi$ implies $\mathcal{S} \models \phi$.


Proof: This is easily proved by induction on the length of proofs, case 
distinction on the axiom applied in the basis step, and case distinction on 
the rule of inference last applied in the inductive step. 


Lemma 2 expresses that, if the repetition rule is dropped, the axioms and 
inference rules of the presented Hoare-like logic are strongly sound. 

The following theorem is the soundness theorem for the presented 
Hoare-like logic. 


Theorem 2 For each service algebra $\mathcal{S}$ and asserted instruction sequence $\phi$, $\mathrm{Th}(\mathcal{S}) \vdash \phi$ implies $\mathcal{S} \models \phi$.


Proof: This is proved by induction on the length of proofs, case distinction 
on the axiom applied in the basis step, and case distinction on the rule of 
inference last applied in the inductive step. The only difficult case is the 
repetition rule (R5). We will only outline the proof for this case. 

The following properties follow directly from the definition of $\mathcal{M}_{\mathcal{S}}$:

(1) $\mathcal{M}_{\mathcal{S}} \models |S^0 ; \#0^\omega|_{b,0} \bullet t = \emptyset$;
(2) $\mathcal{M}_{\mathcal{S}} \models |S^\omega|_{b,0} \bullet t = t'$ iff there exists a $j > 0$ such that:
    for all $k \ge j$, $\mathcal{M}_{\mathcal{S}} \models |S^k ; \#0^\omega|_{b,0} \bullet t = t'$,
    for all $k < j$, $\mathcal{M}_{\mathcal{S}} \models |S^k ; \#0^\omega|_{b,0} \bullet t = \emptyset$.

These properties could be largely proved in a formal way if the combined algebraic theory of $\mathcal{M}_{\mathcal{S}}$ developed in Sections 2 and 3 were extended with projection operators and axioms for them as in [4].

The following properties follow directly from properties (1) and (2):

(a) $\mathcal{S} \models \{b : P\}\ S^0 ; \#0^\omega\ \{0 : Q\}$;
(b) $\mathcal{S} \models \{b : P\}\ S^\omega\ \{0 : Q\}$ iff, for all $i \ge 0$, $\mathcal{S} \models \{b : P\}\ S^i ; \#0^\omega\ \{0 : Q\}$.
Let $k, n \in \mathbb{N}^+$ be such that $k \le n$, and let $S \in \mathcal{C}_{\mathbf{IS}}$, $P_1, \ldots, P_n, Q_1, \ldots, Q_n \in \mathcal{L}_{\mathbf{S}}$, and $b_1, \ldots, b_n \in \mathbb{N}^+$. Then, from the hypotheses of R5 and Lemmas 1 and 2, it follows immediately that, for all $i \ge 0$, $\mathcal{S} \models \{b_1 : P_1\}\ S^i ; \#0^\omega\ \{0 : Q_1\}$ and ... and $\mathcal{S} \models \{b_n : P_n\}\ S^i ; \#0^\omega\ \{0 : Q_n\}$ implies $\mathcal{S} \models \{b_k : P_k\}\ S^{i+1} ; \#0^\omega\ \{0 : Q_k\}$. From this and property (a), it follows by induction on $i$ that, for all $i \ge 0$, $\mathcal{S} \models \{b_k : P_k\}\ S^i ; \#0^\omega\ \{0 : Q_k\}$. From this and property (b), it follows immediately that $\mathcal{S} \models \{b_k : P_k\}\ S^\omega\ \{0 : Q_k\}$. This completes the proof for the case of the repetition rule.


The line of the proof of Theorem 2 for the case that the rule of inference last applied is R5 is reminiscent of the line of the soundness proof in [9] for the case that the rule of inference last applied is the recursion rule for calls of recursive procedures. In the proof of Theorem 2, $S^i ; \#0^\omega$ is used instead of $S^i$ to guarantee that $b$ is never greater than the length of the approximations of $S^\omega$.

There is a problem with establishing completeness for all service algebras. In the completeness proof, it has to be assumed that, for each service algebra $\mathcal{S}$, the necessary intermediate conditions can be expressed in $\mathcal{L}_{\mathbf{S}}$. Therefore, completeness will only be established for all service algebras that are sufficiently expressive.

Let $\mathcal{S}$ be a service algebra, and let $S \in \mathcal{C}_{\mathbf{IS}}$, $P, Q \in \mathcal{L}_{\mathbf{S}}$, $b \in \mathbb{N}^+$ and $e \in \mathbb{N}$. Then $Q$ expresses the strongest post-condition of $P$ and $S$ for $b$ and $e$ on $\mathcal{S}$ if $\mathcal{S} \models \{b : P\}\ S\ \{e : \mathsf{T}\}$ and, for each state representing term $t'$ for $P$, $Q$, and $S$ with respect to $\mathcal{S}$, $\mathcal{S} \models Q[t']$ iff there exists a state representing term $t$ for $P$, $Q$, and $S$ with respect to $\mathcal{S}$ such that $\mathcal{S} \models P[t]$ and $\mathcal{M}_{\mathcal{S}} \models |S|_{b,e} \bullet t = t'$.

Let $\mathcal{S}$ be a service algebra. Then the language $\mathcal{L}_{\mathbf{S}}$ is expressive for $\mathcal{C}_{\mathbf{IS}}$ on $\mathcal{S}$ if, for each $S \in \mathcal{C}_{\mathbf{IS}}$, $P \in \mathcal{L}_{\mathbf{S}}$, $b \in \mathbb{N}^+$, and $e \in \mathbb{N}$ with $\mathcal{S} \models \{b : P\}\ S\ \{e : \mathsf{T}\}$, there exists a $Q \in \mathcal{L}_{\mathbf{S}}$ such that $Q$ expresses the strongest post-condition of $P$ and $S$ for $b$ and $e$ on $\mathcal{S}$.

In the above definitions, $\mathcal{S} \models \{b : P\}\ S\ \{e : \mathsf{T}\}$ is used to express that there exists a post-condition of $P$ and $S$ for $b$ and $e$ on $\mathcal{S}$.


The following remarks about the existence of strongest post-conditions may be useful for a clear understanding of the matter. For each $S \in \mathcal{C}_{\mathbf{IS}}$, $P \in \mathcal{L}_{\mathbf{S}}$, and $b \in \mathbb{N}^+$, one of the following is the case regarding the existence of a strongest post-condition:

(1) there is no $e \in \mathbb{N}$ for which there exists a strongest post-condition of $P$ and $S$ for $b$ and $e$;
(2) there is exactly one $e \in \mathbb{N}$ for which there exists a strongest post-condition of $P$ and $S$ for $b$ and $e$, and the strongest post-condition concerned is not equivalent to $\mathsf{F}$;
(3) there is more than one $e \in \mathbb{N}$ for which there exists a strongest post-condition of $P$ and $S$ for $b$ and $e$, and the strongest post-condition concerned is equivalent to $\mathsf{F}$.


We say that execution is convergent in $S$ if it does not become inactive in $S$. Terminating in $S$ is one way in which execution may be convergent in $S$, exiting $S$ by going to the $e$th instruction following $S$ is another way in which execution may be convergent in $S$, and exiting $S$ by going to the $e'$th instruction following $S$, where $e' \ne e$, is still another way in which execution may be convergent in $S$. Now, (1) is the case if there is more than one way in which execution may be convergent in $S$, (2) is the case if there is exactly one way in which execution may be convergent in $S$, and (3) is the case if there is no way in which execution may be convergent in $S$.

The proof of the completeness theorem for the presented Hoare-like 
logic given below (Theorem 3) will make use of the following four lemmas. 


Lemma 3 Let $\mathcal{S}$ be a service algebra. Then, for each $S \in \mathcal{C}_{\mathbf{IS}}$, $P, Q \in \mathcal{L}_{\mathbf{S}}$, $b \in \mathbb{N}^+$, and $e \in \mathbb{N}$, $\mathcal{S} \models \{b : P\}\ S^\omega\ \{e : Q\}$ only if $e = 0$.


Proof: This is proved by distinguishing two cases: the repetition operator does not occur in $S$ and the repetition operator occurs in $S$. The former case is easily proved by induction on $\mathrm{len}(S)$. The latter case follows directly from the following corollary of the proof of Lemma 2.6 from [5]: for each $S \in \mathcal{C}_{\mathbf{IS}}$ in which the repetition operator occurs, there exists an $S'$ in which the repetition operator does not occur such that $|S|_{b,e} = |S'|_{b,e}$.


Lemma 3 tells us that execution never exits an instruction sequence segment of the form $S^\omega$.

The following lemma expresses that the axioms and rules of inference of the presented Hoare-like logic are complete for all instruction sequence segments of the form $S^\omega$ only if they are complete for all instruction sequence segments.


Lemma 4 Let $\mathcal{S}$ be a service algebra such that $\mathcal{L}_{\mathbf{S}}$ is expressive for $\mathcal{C}_{\mathbf{IS}}$ on $\mathcal{S}$. Assume that, for each $S \in \mathcal{C}_{\mathbf{IS}}$, $P, Q \in \mathcal{L}_{\mathbf{S}}$, $b \in \mathbb{N}^+$, and $e \in \mathbb{N}$, $\mathcal{S} \models \{b : P\}\ S^\omega\ \{e : Q\}$ implies $\mathrm{Th}(\mathcal{S}) \vdash \{b : P\}\ S^\omega\ \{e : Q\}$. Then, for each $S \in \mathcal{C}_{\mathbf{IS}}$, $P, Q \in \mathcal{L}_{\mathbf{S}}$, $b \in \mathbb{N}^+$, and $e \in \mathbb{N}$, $\mathcal{S} \models \{b : P\}\ S\ \{e : Q\}$ implies $\mathrm{Th}(\mathcal{S}) \vdash \{b : P\}\ S\ \{e : Q\}$.
Proof: This is proved by induction on the structure of $S$. The cases that $S$ is a single instruction follow, with the exception of the termination instruction after a case distinction, directly from one of the axioms (A1–A11) and the consequence rule (R10). The case that $S$ is of the form $S_1^\omega$ follows immediately from the assumption. What is left is the case that $S$ is of the form $S_1 ; S_2$.

If $\mathcal{S} \models \{b : P\}\ S_1 ; S_2\ \{e : Q\}$, then it follows from the definitions involved that:

(1) if $b \le \mathrm{len}(S_1)$: for some $n > 0$, there exist $P_1, R_1, \ldots, P_n, R_n \in \mathcal{L}_{\mathbf{S}}$ and $i_1, \ldots, i_n \in \mathbb{N}$ such that $\mathcal{S} \models P \Rightarrow P_1 \vee \ldots \vee P_n$ and, for each $j$ with $1 \le j \le n$, $R_j$ expresses the strongest post-condition of $P_j$ and $S_1$ for $b$ and $i_j$ on $\mathcal{S}$ and one of the following is the case:

(a) $1 \le i_j \le \mathrm{len}(S_2)$, $\mathcal{S} \models \{b : P_j\}\ S_1\ \{i_j : R_j\}$, and $\mathcal{S} \models \{i_j : R_j\}\ S_2\ \{e : Q\}$;
(b) $i_j = \mathrm{len}(S_2) + e$, $e > 0$, $\mathcal{S} \models \{b : P_j\}\ S_1\ \{i_j : R_j\}$, and $\mathcal{S} \models R_j \Rightarrow Q$;
(c) $i_j = 0$, $e = 0$, $\mathcal{S} \models \{b : P_j\}\ S_1\ \{i_j : R_j\}$, and $\mathcal{S} \models R_j \Rightarrow Q$;

(2) if $b > \mathrm{len}(S_1)$: $\mathcal{S} \models \{b - \mathrm{len}(S_1) : P\}\ S_2\ \{e : Q\}$.


Case (1) is proved by distinguishing two subcases: the repetition operator does not occur in $S_1$ and the repetition operator occurs in $S_1$. The former subcase is easily proved by induction on $\mathrm{len}(S_1)$. The latter subcase follows directly from the above-mentioned corollary of the proof of Lemma 2.6 from [5] and Lemma 3. In either subcase, the existence of $R_j$'s that express the strongest post-conditions needed is guaranteed by the expressiveness property of $\mathcal{L}_{\mathbf{S}}$. Case (2) follows directly from the definitions involved.

In case (1), $\mathrm{Th}(\mathcal{S}) \vdash \{b : P\}\ S_1 ; S_2\ \{e : Q\}$ follows directly by the induction hypothesis, the first three concatenation rules (R1–R3), and the alternatives rule (R6). In case (2), it follows directly by the induction hypothesis and the last concatenation rule (R4).


The next lemma tells us that the axioms and inference rules of the presented Hoare-like logic are complete if provability can be identified with provability from a particular set of asserted single-pass instruction sequences; and the lemma after that expresses that the asserted single-pass instruction sequences concerned are provable.
Lemma 5 Let $\mathcal{S}$ be a service algebra such that $\mathcal{L}_{\mathbf{S}}$ is expressive for $\mathcal{C}_{\mathbf{IS}}$ on $\mathcal{S}$. For each $S \in \mathcal{C}_{\mathbf{IS}}$, let $x^S_1, \ldots, x^S_{n_S} \in \mathcal{F}$ and $y^S_1, \ldots, y^S_{n_S} \in \mathcal{F}$ be such that $\mathit{var}(S) = \{x^S_1, \ldots, x^S_{n_S}\}$ and $\mathit{var}(S) \cap \{y^S_1, \ldots, y^S_{n_S}\} = \emptyset$. For each $S \in \mathcal{C}_{\mathbf{IS}}$ and $b \in \mathbb{N}^+$, let $P_S$ be $x^S_1 = y^S_1 \wedge \ldots \wedge x^S_{n_S} = y^S_{n_S}$ and let $Q'_{S,b} \in \mathcal{L}_{\mathbf{S}}$ be such that $Q'_{S,b}$ expresses the strongest post-condition of $P_S$ and $S^\omega$ for $b$ and $0$ on $\mathcal{S}$. For each $S \in \mathcal{C}_{\mathbf{IS}}$ and $b \in \mathbb{N}^+$, let $\mathit{ub}_{S,b} = \max\{b' \in \mathbb{N}^+ \mid b' = b \vee \#b' \text{ occurs in } S\}$. Then, for each $S' \in \mathcal{C}_{\mathbf{IS}}$, $P, Q \in \mathcal{L}_{\mathbf{S}}$, and $b \in \mathbb{N}^+$, $\mathcal{S} \models \{b : P\}\ S'\ \{0 : Q\}$ implies $\mathrm{Th}(\mathcal{S}) \cup \{\{b' : P_S\}\ S^\omega\ \{0 : Q'_{S,b'}\} \mid b' \le \mathit{ub}_{S,b} \wedge S^\omega \text{ is a subterm of } S'\} \vdash' \{b : P\}\ S'\ \{0 : Q\}$.


Proof: This is proved by induction on the structure of $S'$. The cases that $S'$ is a single instruction follow directly from one of the axioms (A2, A5, A8, A10, A11) and the consequence rule (R10). The case that $S'$ is of the form $S_1 ; S_2$ is proved, using the induction hypothesis, in the same way as the case of concatenation in the proof of Lemma 4. What is left is the case that $S'$ is of the form $S^\omega$.

In the case that $S'$ is of the form $S^\omega$, it suffices to show that, for each $S \in \mathcal{C}_{\mathbf{IS}}$, $P, Q \in \mathcal{L}_{\mathbf{S}}$, and $b \in \mathbb{N}^+$, $\mathcal{S} \models \{b : P\}\ S^\omega\ \{0 : Q\}$ implies $\mathrm{Th}(\mathcal{S}) \cup \{\{b : P_S\}\ S^\omega\ \{0 : Q'_{S,b}\}\} \vdash' \{b : P\}\ S^\omega\ \{0 : Q\}$.

Let $S \in \mathcal{C}_{\mathbf{IS}}$, $P, Q \in \mathcal{L}_{\mathbf{S}}$, and $b \in \mathbb{N}^+$, and let $z_1, \ldots, z_{n_S} \in \mathcal{F}$ be such that $(\mathit{var}(S) \cup \mathit{var}(P) \cup \mathit{var}(Q) \cup \{y^S_1, \ldots, y^S_{n_S}\}) \cap \{z_1, \ldots, z_{n_S}\} = \emptyset$. Moreover, let $P_1$ be $P[z_1/y^S_1] \cdots [z_{n_S}/y^S_{n_S}]$, let $Q_1$ be $Q[z_1/y^S_1] \cdots [z_{n_S}/y^S_{n_S}]$, and let $P_2$ be $P_1[y^S_1/x^S_1] \cdots [y^S_{n_S}/x^S_{n_S}]$. In the rest of this proof, a state representing term is a closed term of sort $\mathbf{SF}$ that is a state representing term for $P$, $Q$, $S$, and $\{y^S_1, \ldots, y^S_{n_S}\} \cup \{z_1, \ldots, z_{n_S}\}$ with respect to $\mathcal{S}$. Assume $\mathcal{S} \models \{b : P\}\ S^\omega\ \{0 : Q\}$.

From $\{b : P_S\}\ S^\omega\ \{0 : Q'_{S,b}\}$, it follows that $\{b : P_S \wedge P_2\}\ S^\omega\ \{0 : Q'_{S,b} \wedge P_2\}$ (*) by the invariance rule (R7). We now show that $\mathcal{S} \models (Q'_{S,b} \wedge P_2) \Rightarrow Q_1$.

Let $t'$ be a state representing term. Assume $\mathcal{S} \models (Q'_{S,b} \wedge P_2)[t']$. By the definition of $Q'_{S,b}$, there exists a state representing term $t$ such that $\mathcal{S} \models P_S[t]$ and $\mathcal{M}_{\mathcal{S}} \models |S^\omega|_{b,0} \bullet t = t'$ and $\mathcal{M}_{\mathcal{S}} \models |S^\omega|_{b,e'} \bullet t = \emptyset$ for all $e' \in \mathbb{N}$ with $e' \ne 0$. Suppose $\mathcal{S} \models (\neg P_2)[t]$. From this, the just-mentioned properties of $t$, and the soundness of the invariance rule, it follows that $\mathcal{S} \models (\neg P_2)[t']$. This contradicts the assumption that $\mathcal{S} \models (Q'_{S,b} \wedge P_2)[t']$. Consequently, $\mathcal{S} \models P_2[t]$. From this, the first of the above-mentioned properties of $t$, and the fact that $\mathcal{S} \models (P_S \wedge P_2) \Rightarrow P_1$, it follows that $\mathcal{S} \models P_1[t]$. From this, the assumption that $\mathcal{S} \models \{b : P\}\ S^\omega\ \{0 : Q\}$, and the soundness of the substitution rule (R9), it follows that $\mathcal{S} \models Q_1[t']$. This proves that $\mathcal{S} \models (Q'_{S,b} \wedge P_2) \Rightarrow Q_1$ (**).

From (*) and (**), it now follows by the consequence rule (R10) that $\{b : P_S \wedge P_2\}\ S^\omega\ \{0 : Q_1\}$. From this, it follows by the elimination rule (R8) that $\{b : \exists y^S_1, \ldots, y^S_{n_S} \bullet (P_S \wedge P_2)\}\ S^\omega\ \{0 : Q_1\}$. From this and the fact that $\mathcal{S} \models P_1 \Rightarrow \exists y^S_1, \ldots, y^S_{n_S} \bullet (P_S \wedge P_2)$, it follows that $\{b : P_1\}\ S^\omega\ \{0 : Q_1\}$ by the consequence rule. From this, it follows that $\{b : P\}\ S^\omega\ \{0 : Q\}$ by the substitution rule.


Lemma 6 Let $\mathcal{S}$ and, for each $S \in \mathcal{C}_{\mathbf{IS}}$ and $b \in \mathbb{N}^+$, $P_S$ and $Q'_{S,b}$ be as in Lemma 5. Then, for each $S \in \mathcal{C}_{\mathbf{IS}}$ and $b \in \mathbb{N}^+$, $\mathrm{Th}(\mathcal{S}) \vdash \{b : P_S\}\ S^\omega\ \{0 : Q'_{S,b}\}$.


Proof: Let $S \in \mathcal{C}_{\mathbf{IS}}$ and $b \in \mathbb{N}^+$. Then, by the definition of $Q'_{S,b}$, $\mathcal{S} \models \{b : P_S\}\ S^\omega\ \{0 : Q'_{S,b}\}$. From this, it follows that $\mathcal{S} \models \{b : P_S\}\ S ; S^\omega\ \{0 : Q'_{S,b}\}$ because $|S^\omega|_{b,0} = |S ; S^\omega|_{b,0}$. From this and Lemma 5, it follows that $\mathrm{Th}(\mathcal{S}) \cup \{\{b' : P_S\}\ S^\omega\ \{0 : Q'_{S,b'}\} \mid b' \le \mathit{ub}_{S,b}\} \vdash' \{b : P_S\}\ S ; S^\omega\ \{0 : Q'_{S,b}\}$, where $\mathit{ub}_{S,b}$ is defined as in Lemma 5. Because we have proved this for an arbitrary $b$, it follows by the repetition rule that $\mathrm{Th}(\mathcal{S}) \vdash \{b : P_S\}\ S^\omega\ \{0 : Q'_{S,b}\}$.


The lines of the proofs of Lemmas 5 and 6, which are mostly concerned 
with repetition, are reminiscent of the lines of the proofs of Lemmas 1 and 2 
from [1], which are mostly concerned with calls of (parameterless) recursive 
procedures. 

The following theorem is the completeness theorem for the presented 
Hoare-like logic. The weak form of completeness that can be proved is known 
as completeness in the sense of Cook because this notion of completeness 
originates from Cook [11]. 


Theorem 3 For each service algebra $\mathcal{S}$ such that $\mathcal{L}_{\mathbf{S}}$ is expressive for $\mathcal{C}_{\mathbf{IS}}$ on $\mathcal{S}$ and each asserted instruction sequence $\phi$, $\mathcal{S} \models \phi$ implies $\mathrm{Th}(\mathcal{S}) \vdash \phi$.


Proof: This result is an immediate consequence of Lemmas 3-6. 


7 Concluding Remarks 


We have presented a Hoare-like logic for proving the partial correctness of a single-pass instruction sequence as considered in program algebra and have shown that it is sound and complete in the sense of Cook. We have extended the asserted programs of Hoare logics with two natural numbers which represent conditions on how execution enters and exits an instruction sequence. By that we have prevented pre- and post-conditions from being formulated in which aspects of input-output behaviour and flow of execution are combined in ways that are unnecessary for proving (partial) correctness of instruction sequences. We believe that by the way in which we have extended the asserted programs of Hoare logics, the presented Hoare-like logic remains as close to Hoare logics as possible in the case where program segments with multiple entry points and multiple exit points have to be dealt with.

In contrast with most related work, we have neither taken ad hoc restrictions and features of machine- or assembly-level programs into account nor abstracted in an ad hoc way from instruction sequences as found in low-level programs. Moreover, unlike some related work, we have stuck to classical first-order logic for pre- and post-conditions. In particular, the separating conjunction and separating implication connectives from separation logics [20] are not used in pre- and post-conditions. Because of this, most related work, including the work reported upon in [17, 19, 21], is only loosely related.

Most closely related is the work reported upon in [24, 25]. The form 
of asserted instruction sequences is inspired by [25]. However, as explained 
in Section 1, their interpretation differs somewhat. Moreover, no attention 
is paid to soundness and completeness issues in [25]. An asserted program 
from [24] corresponds essentially to a set of asserted instruction sequences 
concerning the same instruction sequence fragment. The particular form of 
these asserted programs has the effect that proofs using the program logic 
from [24] involve a lot of auxiliary label manipulation. 